CVE-2025-61772
published 2025-10-07CVE-2025-61772: Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` can accumulate unbounded data when a…
PriorityP344high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
0.85%
53.5th percentile
Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS). Attackers can send incomplete multipart headers to trigger high memory use, leading to process termination (OOM) or severe slowdown. The effect scales with request size limits and concurrency. All applications handling multipart uploads may be affected. Versions 2.2.19, 3.1.17, and 3.2.2 cap per-part header size (e.g., 64 KiB). As a workaround, restrict maximum request sizes at the proxy or web server layer (e.g., Nginx `client_max_body_size`).
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-rack | < ruby-rack 2.2.20-0+deb12u1 (bookworm) | ruby-rack 2.2.20-0+deb12u1 (bookworm) |
| rack | rack | < 2.2.19 | 2.2.19 |
| rack | rack | — | — |
| rack | rack | — | — |
| rack | rack | >= 0 < 2.2.19 | 2.2.19 |
| rack | rack | >= 3.1 < 3.1.17 | 3.1.17 |
| rack | rack | >= 3.1.0 < 3.1.17 | 3.1.17 |
| rack | rack | >= 3.2 < 3.2.2 | 3.2.2 |
| rack | rack | >= 3.2.0 < 3.2.2 | 3.2.2 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv7.5HIGH
vendor_debian7.5HIGH
vendor_redhat7.5HIGH
vendor_ubuntu7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
ruby-rack vulnerabilities
osv·2026-01-14·CVSS 7.5
CVE-2025-59830 [HIGH] ruby-rack vulnerabilities
ruby-rack vulnerabilities
It was discovered that Rack incorrectly handled certain query parameters.
An attacker could possibly use this issue to cause a limited denial of
service. This issue was only addressed in Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS. (CVE-2025-59830)
It was discovered that Rack did not properly handle certain multipart
form data. An attacker could possibly use this issue to cause memory
exhaustion, leading to a denial of service. This issue was only addressed
in Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10.
(CVE-2025-61770, CVE-2025-61772)
It was discovered that Rack did not properly handle certain form fields.
An attacker could possibly use this issue to cause memory exhaustion,
leading to a denial of service. This issue was only addressed in Ubuntu
22.04 LTS,
OSV
Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
osv·2025-10-07
CVE-2025-61772 [HIGH] Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
## Summary
`Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS).
## Details
While reading multipart headers, the parser waits for `CRLFCRLF` using:
```ruby
@sbuf.scan_until(/(.*?\r\n)\r\n/m)
```
If the terminator never appears, it continues appending data (`@sbuf.concat(content)`) indefinitely. There is no limit on accumulated header bytes, so a single malformed part can consume memory proportional to the request body size.
## Impact
Attacker
OSV
CVE-2025-61772: Rack is a modular Ruby web server interface
osv·2025-10-07·CVSS 7.5
CVE-2025-61772 [HIGH] CVE-2025-61772: Rack is a modular Ruby web server interface
Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS). Attackers can send incomplete multipart headers to trigger high memory use, leading to process termination (OOM) or severe slowdown. The effect scales with request size limits and concurrency. All applications handling multipart uploads may be affected. Versions 2.2.19, 3.1.17, and 3.2.2 cap per-part header size (e.g., 64 KiB). As a workaround, restrict maximum request sizes at the proxy or web se
GHSA
Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
ghsa·2025-10-07
CVE-2025-61772 [HIGH] CWE-400 Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
## Summary
`Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS).
## Details
While reading multipart headers, the parser waits for `CRLFCRLF` using:
```ruby
@sbuf.scan_until(/(.*?\r\n)\r\n/m)
```
If the terminator never appears, it continues appending data (`@sbuf.concat(content)`) indefinitely. There is no limit on accumulated header bytes, so a single malformed part can consume memory proportional to the request body size.
## Impact
Attacker
Ubuntu
Rack vulnerabilities
vendor_ubuntu·2026-01-14·CVSS 7.5
CVE-2025-61771 [HIGH] Rack vulnerabilities
Title: Rack vulnerabilities
Summary: Several security issues were fixed in Rack.
It was discovered that Rack incorrectly handled certain query parameters.
An attacker could possibly use this issue to cause a limited denial of
service. This issue was only addressed in Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS. (CVE-2025-59830)
It was discovered that Rack did not properly handle certain multipart
form data. An attacker could possibly use this issue to cause memory
exhaustion, leading to a denial of service. This issue was only addressed
in Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10.
(CVE-2025-61770, CVE-2025-61772)
It was discovered that Rack did not properly handle certain form fields.
An attacker could possibly use this issue to cause memory exhaustion,
leading to a denial of serv
Red Hat
rack: Rack memory exhaustion denial of service
vendor_redhat·2025-10-07·CVSS 7.5
CVE-2025-61772 [HIGH] CWE-400 rack: Rack memory exhaustion denial of service
rack: Rack memory exhaustion denial of service
Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS). Attackers can send incomplete multipart headers to trigger high memory use, leading to process termination (OOM) or severe slowdown. The effect scales with request size limits and concurrency. All applications handling multipart uploads may be affected. Versions 2.2.19, 3.1.17, and 3.2.2 cap per-part header size (e.g., 64 KiB). As a workaround, restr
Debian
CVE-2025-61772: ruby-rack - Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17...
vendor_debian·2025·CVSS 7.5
CVE-2025-61772 [HIGH] CVE-2025-61772: ruby-rack - Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17...
Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS). Attackers can send incomplete multipart headers to trigger high memory use, leading to process termination (OOM) or severe slowdown. The effect scales with request size limits and concurrency. All applications handling multipart uploads may be affected. Versions 2.2.19, 3.1.17, and 3.2.2 cap per-part header size (e.g., 64 KiB). As a workaround, restrict maximum request sizes at the proxy or web se
No detection rules found.
No public exploits indexed.
2025-10-07
Published